CVE-2024-50413: 
WordPress vulnerability analysis and mitigation

The Import and export users and customers WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-50413. The vulnerability affects versions up to and including 1.27.5 and was discovered by researcher UKO on October 12, 2024, with public disclosure on October 24, 2024. This security issue specifically impacts WordPress installations with the affected plugin, particularly in multi-site installations and where unfiltered_html has been disabled (WPScan, Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) issue. It has received a CVSS 3.1 base score of 5.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. The security flaw stems from insufficient input sanitization and output escaping in the plugin's functionality (Patchstack).

The vulnerability allows authenticated attackers with administrator-level access to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an injected page. The impact is particularly significant for multi-site installations and installations where unfiltered_html has been disabled (WPScan).

The vulnerability has been patched in version 1.27.6 of the Import and export users and customers plugin. Site administrators are advised to update to this version or later to remove the vulnerability. Patchstack users have the option to enable auto-update for vulnerable plugins (Patchstack).